Global cyber-attack: a wake-up call

The WannaCry ransomware attack on Friday, a cyber-attack on an unprecedented scale, is affecting organisations around the world. This article contains advice for members.

The key points are:

Members are well positioned to take a lead in the co-ordination of a response to a cyber incident.

Organisations wanting detailed advice on how to respond should visit the National Cyber Security Centre (NCSC) website.

Another attack could be imminent and organisations should ensure their security is up to date.

Members should use this incident to review their cyber insurance options.

Cyber incident

Last Friday's cyber-attack was unprecedented in its scale and indiscriminate in its targets. The cyber-attack, first broadcast on Friday 12 May, has affected organisations around the world, including some parts of the NHS in the UK, Germany's rail network Deutsche Bahn, Spanish telecommunications operator Telefonica, US logistics giant FedEx and Russia's interior ministry.

The attack relates to version 2 of the “WannaCry” malware affecting a wide range of organisations globally. From initial investigations and analysis performed to date, we know that the malware:

encrypts files;

provides the user with a prompt which includes a ransom demand; and

includes a countdown timer and bitcoin wallet to pay the ransom into.

The ransomware (software that blocks access to data until a ransom is paid) was combined with a worm application (a program that replicates itself in order to spread to other computers). This allowed the infection of one computer to spread quickly across networks, which is why we're seeing the number of incidents continue to increase. Experts say another attack could be imminent and have warned people to ensure their security is up to date.

Cyber risk resilience

Microsoft described the incident as a “global wake-up call” for governments to focus their attention on cyber security and for organisations to maintain their software applications.

The National Cyber Security Centre (NCSC) is working with affected organisations and partners to investigate and coordinate the response in the UK.

The guidance on the front page of the NCSC website gives detailed advice on what businesses and individuals should do to protect themselves.

This guidance reinforces the NCSC message, which advises victims to report to Action Fraud and states that "we encourage the public not to pay the ransom demand". It also sends a message out to the perpetrators to say that "cyber criminals may believe that they are anonymous but we will use all the tools at our disposal to bring them to justice".

The NCSC has advised Airmic that this last message is really important because the NCSC needs credible deterrence as part of its cyber security armoury. The fact is that it does identify and catch people, which is why it thinks it is important for victim companies to engage law enforcement and not assume that they should simply mitigate as best they can and move on.

Airmic members are well positioned to take a lead in the co-ordination of a response to a cyber incident across their organisation. While there may not be a completely satisfactory response to a crisis situation, a crisis handled poorly can exacerbate the costs of an event, particularly given that the financial and reputational harm caused by failures is now amplified by social media in a “sound-bite world”. As risk managers, you should be asking: are your cyber incident crisis plans up to date, and do people know where plans are and what their roles might be? This latest incident is on the radar.

Cyber risk insurance

Over 50% of Airmic members report that they do not buy cyber insurance cover (Airmic pre-conference survey, 2016). Members cite several reasons for this: their organisation would prefer to spend on internal cyber controls; the absence of meaningful capacity; the high cost of cover; and uncertainty over what coverage entails, including whether claims would be paid.

Airmic members are recognising that relevant covers are becoming available from insurers writing cyber insurance. Typical modules of cover include:

First party damage and business interruption, including: replacement and restoration costs after damage to data, systems and potentially physical property; and loss of profits and additional costs of working following damage;

Incident response, including: support to the organisation following a cyber incident; forensic costs; crisis management support; legal costs; and public relations costs;

Extortion, including: cyber extortion negotiation and ransom costs; cover for restoring data / system access where a ransom is not paid.

If Airmic members have not already done so, they are encouraged to review the cyber insurance market. The incident last Friday highlights that the next organisation to be affected by a cyber incident could be yours.